[Openswan Users] OpenSwan x Checkpoint
William Ferraz
william.ferraz at inmetrics.com.br
Wed Jul 15 12:22:10 EDT 2009
Hi Paul,
Sorry for the long delay.
Well, answering your questions:
> Any reason why to change these lifetimes from the default?
Yes, as defined by the Check Point administrator.
> You are using netkey?
Well, when I emerge openswan on my Gentoo Linux, the software is
compiled with netkey activated. I don't know why.
> Seems that connection came up fine.
Yes, but I can't use the services of the other side.
Anyway, the log without plutodebug:
ipsec_setup: Starting Openswan IPsec
U2.6.21/K2.6.29-gentoo-r1...
ipsec_setup: multiple ip addresses, using 200.xxx.xxx.234 on
eth0
ipsec_setup: Warning: ignored obsolete keyword (null)
[ ok ]
Jul 15 13:11:12 firewall pluto[29165]: | exchange type:
ISAKMP_XCHG_INFO
Jul 15 13:11:12 firewall pluto[29165]: | flags:
ISAKMP_FLAG_ENCRYPTION
Jul 15 13:11:12 firewall pluto[29165]: | message ID: 53 8d de c6
Jul 15 13:11:12 firewall pluto[29165]: | ***emit ISAKMP Hash Payload:
Jul 15 13:11:12 firewall pluto[29165]: | next payload type:
ISAKMP_NEXT_D
Jul 15 13:11:12 firewall pluto[29165]: | emitting 20 zero bytes of
HASH(1) into ISAKMP Hash Payload
Jul 15 13:11:12 firewall pluto[29165]: | emitting length of ISAKMP Hash
Payload: 24
Jul 15 13:11:12 firewall pluto[29165]: | ***emit ISAKMP Delete Payload:
Jul 15 13:11:12 firewall pluto[29165]: | next payload type:
ISAKMP_NEXT_NONE
Jul 15 13:11:12 firewall pluto[29165]: | DOI: ISAKMP_DOI_IPSEC
Jul 15 13:11:12 firewall pluto[29165]: | protocol ID: 1
Jul 15 13:11:12 firewall pluto[29165]: | SPI size: 16
Jul 15 13:11:12 firewall pluto[29165]: | number of SPIs: 1
Jul 15 13:11:12 firewall pluto[29165]: | emitting 16 raw bytes of delete
payload into ISAKMP Delete Payload
Jul 15 13:11:12 firewall pluto[29165]: | delete payload 0a 30 cf d7 a3
4b a3 9e 23 a8 e1 71 6f ae 4b 83
Jul 15 13:11:12 firewall pluto[29165]: | emitting length of ISAKMP
Delete Payload: 28
Jul 15 13:11:12 firewall pluto[29165]: | HASH(1) computed:
Jul 15 13:11:12 firewall pluto[29165]: | 93 91 19 83 31 69 49 de dc
c7 c2 6d 77 75 ee ce
Jul 15 13:11:12 firewall pluto[29165]: | 91 4f 33 13
Jul 15 13:11:12 firewall pluto[29165]: | last Phase 1 IV: b3 73 e6 6b
56 3d 01 2d ad 9c 6f 69 d6 8b 25 92
Jul 15 13:11:12 firewall pluto[29165]: | current Phase 1 IV: b3 73 e6
6b 56 3d 01 2d ad 9c 6f 69 d6 8b 25 92
Jul 15 13:11:12 firewall pluto[29165]: | computed Phase 2 IV:
Jul 15 13:11:12 firewall pluto[29165]: | a2 dd 89 70 2b ed ae 48 16
8c ff 6a bd f0 06 d1
Jul 15 13:11:12 firewall pluto[29165]: | 12 ec 96 aa
Jul 15 13:11:12 firewall pluto[29165]: | encrypting:
Jul 15 13:11:12 firewall pluto[29165]: | 0c 00 00 18 93 91 19 83 31
69 49 de dc c7 c2 6d
Jul 15 13:11:12 firewall pluto[29165]: | 77 75 ee ce 91 4f 33 13 00
00 00 1c 00 00 00 01
Jul 15 13:11:12 firewall pluto[29165]: | 01 10 00 01 0a 30 cf d7 a3
4b a3 9e 23 a8 e1 71
Jul 15 13:11:12 firewall pluto[29165]: | 6f ae 4b 83
Jul 15 13:11:12 firewall pluto[29165]: | IV:
Jul 15 13:11:12 firewall pluto[29165]: | a2 dd 89 70 2b ed ae 48 16
8c ff 6a bd f0 06 d1
Jul 15 13:11:12 firewall pluto[29165]: | 12 ec 96 aa
Jul 15 13:11:12 firewall pluto[29165]: | unpadded size is: 52
Jul 15 13:11:12 firewall pluto[29165]: | emitting 12 zero bytes of
encryption padding into ISAKMP Message
Jul 15 13:11:12 firewall pluto[29165]: | encrypting 64 using
OAKLEY_AES_CBC
Jul 15 13:11:12 firewall pluto[29165]: | next IV: d5 1f d7 fb 87 4b 11
55 c4 ac c9 5f cb da b7 29
Jul 15 13:11:12 firewall pluto[29165]: | emitting length of ISAKMP
Message: 92
Jul 15 13:11:12 firewall pluto[29165]: | sending 92 bytes for delete
notify through eth0:500 to 201.xxx.xxx.20:500 (using #9690)
Jul 15 13:11:12 firewall pluto[29165]: | 0a 30 cf d7 a3 4b a3 9e 23
a8 e1 71 6f ae 4b 83
Jul 15 13:11:12 firewall pluto[29165]: | 08 10 05 01 53 8d de c6 00
00 00 5c 2b 79 53 d1
Jul 15 13:11:12 firewall pluto[29165]: | 4e d3 13 db 72 60 07 d6 d7
e5 5b 40 0d 90 ce 67
Jul 15 13:11:12 firewall pluto[29165]: | 8c 95 b8 b6 d7 a6 ae 33 f7
6f 58 ef 64 1d ae be
Jul 15 13:11:12 firewall pluto[29165]: | 20 d8 ef 40 31 ae 98 5d f7
2c fa a5 d5 1f d7 fb
Jul 15 13:11:12 firewall pluto[29165]: | 87 4b 11 55 c4 ac c9 5f cb
da b7 29
Jul 15 13:11:12 firewall pluto[29165]: | deleting event for #9690
Jul 15 13:11:12 firewall pluto[29165]: | no suspended cryptographic
state for 9690
Jul 15 13:11:12 firewall pluto[29165]: | ICOOKIE: 0a 30 cf d7 a3 4b a3
9e
Jul 15 13:11:12 firewall pluto[29165]: | RCOOKIE: 23 a8 e1 71 6f ae 4b
83
Jul 15 13:11:12 firewall pluto[29165]: | state hash entry 21
Jul 15 13:11:12 firewall pluto[29165]: | next event EVENT_RETRANSMIT in
30 seconds for #9711
William Ferraz
williamferraz at inmetrics.com.br
+55-11-3555-6825
+55-11-9493-3475
http://www.inmetrics.com.br
Avenida Guido Caloi, 1000 - bloco 4
- 4 andar
Condomínio Panamérica Park
05802-140 São Paulo SP Brasil
On Mon, 2009-07-06 at 11:38 -0400, Paul Wouters wrote:
> On Mon, 6 Jul 2009, William Ferraz wrote:
>
> > I need some help to connect my firewall with gentoo-linux and openswan to
> > Check Point NGX R62.
>
> > firewall ~ # ipsec look
>
> Note ipsec look does not work when using netkey.
>
> > # basic configuration
> > config setup
> > interfaces="%defaultroute"
> >
> > # plutodebug / klipsdebug = "all", "none" or a combination from below:
> > #
> > # "raw crypt parsing emitting control klips pfkey natt x509 private"
> > # eg: plutodebug="control parsing"
> > #
> >
> > klipsdebug="all"
> > plutodebug="all"
> > # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
>
> I guess I should have said "openswan developer" :P
>
> > conn inm-net
> > keyexchange=ike
> > ike=aes256-sha1-modp1024
> > aggrmode=no
> > type=tunnel
> > pfs=no
> > ikelifetime=1440s
> > keylife=3600s
>
> Any reason why to change these lifetimes from the default?
>
> > left=200.XXX.XXX.234
> > leftnexthop=200.XXX.XXX.233
> > leftsubnet=10.10.11.0/24
> > leftupdown=/usr/lib/ipsec/_updown
>
> leave out leftupdown= if you are using the default updown script.
>
> > right=201.XXX.XXX.20
> > rightnexthop=201.XXX.XXX.1
> > rightsubnet=5.16.8.0/24
> > auth=esp
> > authby=secret
> > esp=aes128-sha1
> > auto=start
>
> > 200.XXX.XXX.234 201.XXX.XXX.20 : PSK "<my secret is omitted>"
>
> > Log:
> > Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: transition from
> > state STATE_QUICK_I1 to state STATE_QUICK_I2
> > Jul 6 10:30:20 firewall pluto[11204]: | deleting event for #3
> > Jul 6 10:30:20 firewall pluto[11204]: | sending reply packet to
> > 201.XXX.XXX.20:500 (from port 500)
> > Jul 6 10:30:20 firewall pluto[11204]: | sending 60 bytes for
> > STATE_QUICK_I1 through eth0:500 to 201.XXX.XXX.20:500 (using #3)
> > Jul 6 10:30:20 firewall pluto[11204]: | ed 72 75 18 6a 9e fe 70 70
> > b3 3a 30 a2 94 be 26
> > Jul 6 10:30:20 firewall pluto[11204]: | 08 10 20 01 9d 07 bd 62 00
> > 00 00 3c 3d 95 1a 89
>
> This is why you should not enable all debug. Please show a log without
> specifying plutodebug=
>
> > Jul 6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: sent
> > QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c <0x5bfeed6b
> > xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> Seems that connection came up fine.
>
> > My interface ipsec0 doesn't start and I can't connect to any service on the
> > other network.
>
> You are using netkey? Then there are no ipsecX interfaces.
>
> Paul
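Added example (not part of the thread, and not Openswan's own code): with netkey there is no ipsec0 interface and `ipsec look` shows nothing, so the place to confirm that the "IPsec SA established" line in pluto's log corresponds to real kernel state is `ip xfrm state` (the two ESP SAs, one per direction) and `ip xfrm policy` (the out/in/fwd entries that steer subnet traffic into those SAs). The script below parses the SA-established line from the thread, cross-checks the SPIs against constructed `ip xfrm state` output in iproute2's layout, and checks that all three policies exist for the thread's subnets. The peer addresses are stand-ins from the RFC 5737 documentation ranges for the masked 200.XXX.XXX.234 / 201.XXX.XXX.20; the subnets and SPIs are the thread's own; the xfrm output is constructed, with zeroed keys.

```python
"""
Cross-check what pluto says it negotiated against what the netkey (XFRM)
kernel actually holds. Example added to this thread; not Openswan code.
"""
import re

# Stand-in peer addresses (RFC 5737) for the masked ones in the thread;
# subnets and SPIs are the thread's own.
LEFT, RIGHT = "192.0.2.234", "198.51.100.20"
LEFT_NET, RIGHT_NET = "10.10.11.0/24", "5.16.8.0/24"

# The SA-established line pluto logged in the thread (as one log line).
PLUTO_LINE = ('Jul  6 10:30:20 firewall pluto[11204]: "inm-net" #3: STATE_QUICK_I2: '
              'sent QI2, IPsec SA established tunnel mode {ESP=>0x42b8a16c '
              '<0x5bfeed6b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}')

# Constructed `ip xfrm state` output in iproute2's layout (keys zeroed).
XFRM_STATE = f"""\
src {LEFT} dst {RIGHT}
\tproto esp spi 0x42b8a16c reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x{'00' * 20} 96
\tenc cbc(aes) 0x{'00' * 16}
src {RIGHT} dst {LEFT}
\tproto esp spi 0x5bfeed6b reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x{'00' * 20} 96
\tenc cbc(aes) 0x{'00' * 16}
"""

# Constructed `ip xfrm policy` output: a tunnel needs out, in and fwd entries.
POL_OUT = f"""\
src {LEFT_NET} dst {RIGHT_NET}
\tdir out priority 2344 ptype main
\ttmpl src {LEFT} dst {RIGHT}
\t\tproto esp reqid 16385 mode tunnel
"""
POL_IN = f"""\
src {RIGHT_NET} dst {LEFT_NET}
\tdir in priority 2344 ptype main
\ttmpl src {RIGHT} dst {LEFT}
\t\tproto esp reqid 16385 mode tunnel
"""
POL_FWD = POL_IN.replace("dir in", "dir fwd")
XFRM_POLICY = POL_OUT + POL_IN + POL_FWD

SA_RE = re.compile(r"IPsec SA established .*\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")


def pluto_spis(line):
    """Return (outbound_spi, inbound_spi) from pluto's SA-established line.
    Pluto prints ESP=>out <in: the first SPI we send with, the second we accept."""
    m = SA_RE.search(line)
    if not m:
        raise ValueError("no 'IPsec SA established' line")
    return int(m.group(1), 16), int(m.group(2), 16)


def parse_xfrm_state(text):
    """List of {src, dst, spi, mode} for each ESP SA in `ip xfrm state` output."""
    sas = []
    for blk in re.split(r"(?m)^(?=src )", text):
        head = re.match(r"src (\S+) dst (\S+)", blk)
        body = re.search(r"proto esp spi (0x[0-9a-f]+) .*mode (\w+)", blk)
        if head and body:
            sas.append({"src": head.group(1), "dst": head.group(2),
                        "spi": int(body.group(1), 16), "mode": body.group(2)})
    return sas


def parse_xfrm_policy(text):
    """List of {src, dst, dir} for each entry in `ip xfrm policy` output."""
    pols = []
    for blk in re.split(r"(?m)^(?=src )", text):
        head = re.match(r"src (\S+) dst (\S+)\n\s*dir (\w+)", blk)
        if head:
            pols.append({"src": head.group(1), "dst": head.group(2), "dir": head.group(3)})
    return pols


def audit(pluto_line, state_text, policy_text, left, right, left_net, right_net):
    """Return a list of problems; an empty list means SAs and policies match pluto."""
    out_spi, in_spi = pluto_spis(pluto_line)
    sas, pols = parse_xfrm_state(state_text), parse_xfrm_policy(policy_text)

    def has_sa(src, dst, spi):
        return any(s["src"] == src and s["dst"] == dst and s["spi"] == spi
                   and s["mode"] == "tunnel" for s in sas)

    def has_pol(src, dst, direction):
        return any(p["src"] == src and p["dst"] == dst and p["dir"] == direction for p in pols)

    problems = []
    if not has_sa(left, right, out_spi):
        problems.append(f"outbound SA spi {out_spi:#x} {left}->{right} missing from kernel")
    if not has_sa(right, left, in_spi):
        problems.append(f"inbound SA spi {in_spi:#x} {right}->{left} missing from kernel")
    if not has_pol(left_net, right_net, "out"):
        problems.append(f"no 'out' policy {left_net}->{right_net}: traffic leaves in the clear")
    for direction in ("in", "fwd"):
        if not has_pol(right_net, left_net, direction):
            problems.append(f"no '{direction}' policy {right_net}->{left_net}: replies are dropped")
    return problems


if __name__ == "__main__":
    for label, pol in (("complete", XFRM_POLICY), ("fwd policy missing", POL_OUT + POL_IN)):
        probs = audit(PLUTO_LINE, XFRM_STATE, pol, LEFT, RIGHT, LEFT_NET, RIGHT_NET)
        print(f"{label}: {'OK' if not probs else '; '.join(probs)}")
```

On the real gateway, feed the script the live output of `ip xfrm state` and `ip xfrm policy` instead of the constructed strings, and use the peer addresses from ipsec.conf. If both SAs and all three policies are present and the tunnel still carries nothing, `ip -s xfrm state` shows per-SA byte and packet counters; an outbound SA stuck at zero while hosts on leftsubnet are talking usually means the packets never matched the out policy, the classic cause being a NAT rule that rewrites the source address before the xfrm lookup, so the masquerade rule has to exclude rightsubnet.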